@seanmozeik/tripwire 0.2.0 → 0.4.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@seanmozeik/tripwire",
-  "version": "0.2.0",
+  "version": "0.4.1",
   "description": "Opinionated hooks dispatcher for AI coding agents with configurable safety rules",
   "license": "MIT",
   "bin": {

package/src/dispatch.ts

@@ -19,7 +19,7 @@ import { BunRuntime } from '@effect/platform-bun';
 import { Cause, Effect, Exit, Schema } from 'effect';
 
 import { parseCommand } from './lib/bash';
-import { loadConfig, type Config } from './lib/config';
+import { getDefaultConfig, loadConfig, mergeWithDefaults, type Config } from './lib/config';
 import { type Decision, allow, merge } from './lib/decision';
 import {
   type BashInput,
@@ -48,9 +48,6 @@ import { pathProtect } from './rules/path-protect';
 import { postSecretScrub } from './rules/post-secret-scrub';
 import { readProtect } from './rules/read-protect';
 
-const RULE_TIMEOUT_MS = 250;
-const POST_RULE_TIMEOUT_MS = 5000; // Betterleaks subprocess can take longer
-
 const readStdin = async (): Promise<string> => {
   const chunks: Buffer[] = [];
   for await (const chunk of process.stdin) {
@@ -243,6 +240,25 @@ const runRules = (rules: readonly Rule[], timeoutMs: number): Effect.Effect<Deci
     return merge(decisions);
   });
 
+const runRulesSync = (rules: readonly Rule[]): Decision => {
+  if (rules.length === 0) {
+    return allow('no-rules');
+  }
+  return merge(rules.map((r) => r.fn()));
+};
+
+const decide = (event: HookEvent, config: Config = getDefaultConfig()): Decision => {
+  const mergedConfig = mergeWithDefaults(config);
+  const tool = normalizeToolName(event.tool_name ?? '');
+  if (event.hook_event_name === 'PreToolUse') {
+    return runRulesSync(collectPreToolUseRules(tool, event.tool_input, mergedConfig));
+  }
+  if (event.hook_event_name === 'PostToolUse') {
+    return runRulesSync(collectPostToolUseRules(tool, event.tool_response));
+  }
+  return allow('no-rules');
+};
+
 const handleBashAllow = (event: HookEvent, decision: Decision, config: Config): void => {
   // After the gate passes (allow or warn), apply rtk command-rewrite. If
   // Rtk doesn't change the command, fall through to normal allow / warn.
@@ -302,11 +318,9 @@ const program = Effect.gen(function* () {
     return;
   }
   const event = decodeExit.value;
-  const tool = normalizeToolName(event.tool_name ?? '');
 
   if (event.hook_event_name === 'PreToolUse') {
-    const rules = collectPreToolUseRules(tool, event.tool_input, config);
-    const decision = yield* runRules(rules, RULE_TIMEOUT_MS);
+    const decision = decide(event, config);
     if (decision.kind === 'deny' || decision.kind === 'ask') {
       writePreToolGate(event.hook_event_name, decision);
       return;
@@ -316,8 +330,7 @@ const program = Effect.gen(function* () {
   }
 
   if (event.hook_event_name === 'PostToolUse') {
-    const rules = collectPostToolUseRules(tool, event.tool_response);
-    const decision = yield* runRules(rules, POST_RULE_TIMEOUT_MS);
+    const decision = decide(event, config);
     if (decision.kind === 'deny') {
       writePostToolBlock(decision);
       return;
@@ -337,4 +350,15 @@ const handled = program.pipe(
   }),
 );
 
-BunRuntime.runMain(handled);
+if (import.meta.main) {
+  BunRuntime.runMain(handled);
+}
+
+export {
+  collectPostToolUseRules,
+  collectPreToolUseRules,
+  decide,
+  normalizeToolName,
+  runRules,
+  runRulesSync,
+};

package/src/index.ts

@@ -2,3 +2,5 @@ export type { Decision } from './lib/decision.ts';
 export type { HookEvent } from './lib/event.ts';
 export type { Config } from './lib/config.ts';
 export { allow, deny, ask, warn } from './lib/decision.ts';
+export { decide } from './dispatch.ts';
+export { getDefaultConfig, loadConfig, mergeWithDefaults } from './lib/config.ts';

package/src/lib/bash.ts

@@ -304,6 +304,220 @@ const extractInnerCommands = (cmd: string): string[] => {
   return inner;
 };
 
+// ── Exec-flag extraction (fd -x, find -exec, etc.) ───────────────────
+// Tools that take a subcommand on the same arg vector hide that
+// Subcommand from rule analysis. Pull it out, substitute the user-
+// Provided search root into the placeholder(s), and feed the
+// Reconstructed command back through parseCommand so every existing
+// Bash rule (deny / scoped-rm / redirect / etc.) sees it.
+
+const HOME_VAR_RE = /^\$\{?HOME\}?(?:\/|$)/;
+
+const pathLikeToken = (t: string): boolean => {
+  if (t === '' || t === '-') {
+    return false;
+  }
+  if (t === '/' || t === '~' || t === '.' || t === '..') {
+    return true;
+  }
+  if (
+    t.startsWith('/') ||
+    t.startsWith('~') ||
+    t.startsWith('./') ||
+    t.startsWith('../') ||
+    HOME_VAR_RE.test(t)
+  ) {
+    return true;
+  }
+  return false;
+};
+
+// Rank candidate search roots by how dangerous a `cmd <root>` invocation
+// Would be. Higher wins.
+const pathDangerScore = (t: string): number => {
+  if (t === '/') {
+    return 100;
+  }
+  if (t === '~' || HOME_VAR_RE.test(t)) {
+    return 90;
+  }
+  if (/^\/(etc|usr|bin|sbin|System|Library|var|boot|root|home)(\/|$)/.test(t)) {
+    return 80;
+  }
+  if (t.startsWith('/Users/')) {
+    return 70;
+  }
+  if (t.startsWith('/') || t.startsWith('~')) {
+    return 60;
+  }
+  if (t.startsWith('../')) {
+    return 40;
+  }
+  if (t === '..' || t === '.' || t.startsWith('./')) {
+    return 10;
+  }
+  return 50;
+};
+
+interface ExecSpec {
+  // Flag tokens that introduce a nested command, e.g. `-x` / `-exec`.
+  readonly execFlags: ReadonlySet<string>;
+  // Placeholder tokens the tool substitutes with each match path.
+  readonly placeholders: ReadonlySet<string>;
+  // Walk tokens[1..execFlagIdx) and return the most-suspicious search root
+  // The tool would feed into placeholders, or `.` if nothing path-shaped
+  // Is present.
+  readonly pickRoot: (tokens: readonly string[], execFlagIdx: number) => string;
+}
+
+// Fd's flag layout: flags can appear before or after the pattern/path
+// Positionals, and some flags consume a value (-e ts, -t f, -d 3). We
+// Need to skip those value tokens, otherwise `ts` is misread as a path.
+const FD_VALUE_FLAGS: ReadonlySet<string> = new Set([
+  '-e',
+  '--extension',
+  '-t',
+  '--type',
+  '-E',
+  '--exclude',
+  '-d',
+  '--max-depth',
+  '--min-depth',
+  '--exact-depth',
+  '-c',
+  '--color',
+  '--changed-within',
+  '--changed-before',
+  '-S',
+  '--size',
+  '-o',
+  '--owner',
+  '-j',
+  '--threads',
+  '-g',
+  '--glob',
+  '--format',
+  '--max-results',
+  '--ignore-file',
+  '--search-path',
+  '--base-directory',
+  '--path-separator',
+  '--and',
+]);
+
+const pickFdSearchRoot = (tokens: readonly string[], execFlagIdx: number): string => {
+  const candidates: string[] = [];
+  let i = 1;
+  while (i < execFlagIdx) {
+    const t = tokens[i]!;
+    if (FD_VALUE_FLAGS.has(t)) {
+      i += 2;
+      continue;
+    }
+    if (t.startsWith('-')) {
+      i++;
+      continue;
+    }
+    if (pathLikeToken(t)) {
+      candidates.push(t);
+    }
+    i++;
+  }
+  if (candidates.length === 0) {
+    return '.';
+  }
+  candidates.sort((a, b) => pathDangerScore(b) - pathDangerScore(a));
+  return candidates[0]!;
+};
+
+// Find's grammar: PATHs come first, before any flag-shaped token. Once we
+// Hit a `-`-prefixed token (a test predicate or action), no more paths.
+// `find` defaults to cwd if no path is given. We collect everything
+// Path-shaped in the prefix region as candidates.
+const pickFindSearchRoot = (tokens: readonly string[], execFlagIdx: number): string => {
+  const candidates: string[] = [];
+  for (let i = 1; i < execFlagIdx; i++) {
+    const t = tokens[i]!;
+    if (t.startsWith('-')) {
+      break;
+    }
+    if (pathLikeToken(t)) {
+      candidates.push(t);
+    }
+  }
+  if (candidates.length === 0) {
+    return '.';
+  }
+  candidates.sort((a, b) => pathDangerScore(b) - pathDangerScore(a));
+  return candidates[0]!;
+};
+
+const FD_SPEC: ExecSpec = {
+  execFlags: new Set(['-x', '-X', '--exec', '--exec-batch']),
+  placeholders: new Set(['{}', '{/}', '{//}', '{.}', '{/.}']),
+  pickRoot: pickFdSearchRoot,
+};
+
+const FIND_SPEC: ExecSpec = {
+  // `-ok` / `-okdir` prompt interactively per-match, but the executed
+  // Command is still constructed from agent-controlled input, so treat
+  // It the same as `-exec`.
+  execFlags: new Set(['-exec', '-execdir', '-ok', '-okdir']),
+  placeholders: new Set(['{}']),
+  pickRoot: pickFindSearchRoot,
+};
+
+const EXEC_SPECS: Readonly<Record<string, ExecSpec>> = {
+  fd: FD_SPEC,
+  fdfind: FD_SPEC,
+  find: FIND_SPEC,
+  gfind: FIND_SPEC,
+};
+
+const substitutePlaceholders = (
+  tokens: readonly string[],
+  spec: ExecSpec,
+  root: string,
+): string[] => tokens.map((t) => (spec.placeholders.has(t) ? root : t));
+
+const extractExecCommands = (seg: Segment): string[] => {
+  const spec = EXEC_SPECS[seg.head];
+  if (spec === undefined) {
+    return [];
+  }
+  const out: string[] = [];
+  const tokens = seg.tokens;
+  for (let i = 1; i < tokens.length; i++) {
+    if (!spec.execFlags.has(tokens[i]!)) {
+      continue;
+    }
+    // Collect tokens until the exec terminator (`;` or `+`, both shared
+    // By fd and find) or end of segment. shell-quote turns `\;` into the
+    // Literal string token `;`.
+    const inner: string[] = [];
+    let j = i + 1;
+    while (j < tokens.length) {
+      const t = tokens[j]!;
+      if (t === ';' || t === '+') {
+        break;
+      }
+      inner.push(t);
+      j++;
+    }
+    if (inner.length === 0) {
+      continue;
+    }
+    const head = inner[0]!;
+    if (spec.placeholders.has(head)) {
+      continue;
+    }
+    const root = spec.pickRoot(tokens, i);
+    out.push(substitutePlaceholders(inner, spec, root).join(' '));
+    i = j;
+  }
+  return out;
+};
+
 const parseCommand = (cmd: string): Segment[] => {
   let entries: ParseEntry[];
   try {
@@ -343,6 +557,24 @@ const parseCommand = (cmd: string): Segment[] => {
     }
   }
 
+  // Tools like `fd -x …` and `find -exec …` carry an inner subcommand
+  // On the same arg vector. Without extraction the executed command is
+  // Hidden and slips past every rule. Pull it out (with the user's
+  // Search root substituted into placeholders) and parse it as its own
+  // Segments so bash-deny et al. see it.
+  // Snapshot length: we push new segments into `out` from within the
+  // Loop, but should only scan the segments that existed pre-extraction
+  // To avoid re-processing extracted ones.
+  const preExtractLen = out.length;
+  for (let k = 0; k < preExtractLen; k++) {
+    const seg = out[k]!;
+    for (const sub of extractExecCommands(seg)) {
+      for (const innerSeg of parseCommand(sub)) {
+        out.push(innerSeg);
+      }
+    }
+  }
+
   return out;
 };
 

package/src/lib/config.ts

@@ -11,6 +11,10 @@ const BlockRuleSchema = Schema.Struct({
   pattern: Schema.String,
   message: Schema.String,
   action: Schema.optional(Schema.Union([Schema.Literal('deny'), Schema.Literal('ask')])),
+  requiresFlags: Schema.optional(Schema.Array(Schema.String)),
+  forbidsFlagValues: Schema.optional(
+    Schema.Array(Schema.Struct({ flag: Schema.String, values: Schema.Array(Schema.String) })),
+  ),
 });
 
 const RtkConfigSchema = Schema.Struct({
@@ -103,4 +107,4 @@ export type GitConfig = typeof GitConfigSchema.Type;
 export type SafePathsConfig = typeof SafePathsConfigSchema.Type;
 export type Config = typeof ConfigSchema.Type;
 
-export { CONFIG_PATH, ConfigSchema };
+export { CONFIG_PATH, ConfigSchema, getDefaultConfig, mergeWithDefaults };

package/src/rules/config-custom.ts

@@ -1,51 +1,160 @@
 // Config-based custom blocking/allowing rules.
 // Uses shell parsing utilities to match command patterns from config.
 
-import { parseCommand, type Segment } from '../lib/bash';
+import { hasBypass, parseCommand, type Segment } from '../lib/bash';
 import type { BlockRule } from '../lib/config';
 import { type Decision, allow, deny, ask } from '../lib/decision';
 
+const BYPASS_HELP = 'If this is intentional, append ` # tripwire-allow: <reason>` to the command.';
+
+const ALIASES: ReadonlyMap<string, string> = new Map([
+  ['add', 'create'],
+  ['new', 'create'],
+  ['edit', 'update'],
+  ['set', 'update'],
+  ['rm', 'delete'],
+  ['del', 'delete'],
+  ['remove', 'delete'],
+]);
+
+const canonical = (token: string): string => ALIASES.get(token) ?? token;
+
+// Strip directory prefix so an absolute or homebrew-style path matches its
+// Basename — `/opt/homebrew/bin/gog` and `gog` are the same command for
+// Policy purposes. shim's typed dispatcher resolves CLIs to absolute paths,
+// So matchers that compare `seg.head` literally would otherwise miss every
+// Rule for those invocations.
+const basename = (token: string): string => {
+  const idx = token.lastIndexOf('/');
+  return idx === -1 ? token : token.slice(idx + 1);
+};
+
+const flagPresent = (tokens: readonly string[], flag: string): boolean =>
+  tokens.some((t) => t === flag || t.startsWith(`${flag}=`));
+
+const flagValue = (tokens: readonly string[], flag: string): string | null => {
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i]!;
+    if (t === flag) {
+      return tokens[i + 1] ?? '';
+    }
+    if (t.startsWith(`${flag}=`)) {
+      return t.slice(flag.length + 1);
+    }
+  }
+  return null;
+};
+
+const subcommandTokens = (seg: Segment): string[] => {
+  const out: string[] = [];
+  const tokens = seg.tokens.slice(1);
+  for (let i = 0; i < tokens.length; i++) {
+    const t = tokens[i]!;
+    if (t.startsWith('-')) {
+      // Without per-CLI flag metadata, we conservatively treat
+      // `--flag value` / `-f value` as one option pair and `--flag=value`
+      // As one token. This keeps global selectors like `--account X`
+      // Out of the subcommand path, at the cost of not distinguishing
+      // Boolean flags that precede positional args.
+      if (!t.includes('=') && tokens[i + 1] !== undefined && !tokens[i + 1]!.startsWith('-')) {
+        i++;
+      }
+      continue;
+    }
+    out.push(t);
+  }
+  return out;
+};
+
 // Match a pattern against parsed segments using shell parsing.
 // This is more powerful than simple regex because it uses the same
 // Parsing logic as the rest of tripwire.
-const matchPattern = (segments: readonly Segment[], pattern: string): boolean => {
+const matchPattern = (segments: readonly Segment[], rule: BlockRule): boolean => {
+  const pattern = rule.pattern;
   const patternSegs = parseCommand(pattern);
   if (patternSegs.length === 0) {
     return false;
   }
 
-  const patternHead = patternSegs[0]!.head;
+  const patternTokens = patternSegs[0]!.tokens;
+  const patternHead = patternTokens[0];
+  if (patternHead === undefined) {
+    return false;
+  }
+  const patternSubcommands = patternTokens.slice(1);
 
-  // Simple head match for now - can be extended to match flags, args, etc.
   for (const seg of segments) {
-    if (seg.head === patternHead) {
+    if (basename(seg.head) !== basename(patternHead)) {
+      continue;
+    }
+
+    if (patternSubcommands.length > 0) {
+      const actualSubcommands = subcommandTokens(seg);
+      const pathMatches = patternSubcommands.every(
+        (p, i) =>
+          actualSubcommands[i] !== undefined && canonical(actualSubcommands[i]) === canonical(p),
+      );
+      if (!pathMatches) {
+        continue;
+      }
+    }
+
+    if ((rule.requiresFlags ?? []).some((flag) => !flagPresent(seg.tokens, flag))) {
+      continue;
+    }
+
+    const valueChecks = rule.forbidsFlagValues ?? [];
+    const valuesMatch = valueChecks.every((check) => {
+      const value = flagValue(seg.tokens, check.flag);
+      return value !== null && check.values.includes(value);
+    });
+    if (!valuesMatch) {
+      continue;
+    }
+
+    if (
+      patternSubcommands.length === 0 &&
+      rule.requiresFlags === undefined &&
+      rule.forbidsFlagValues === undefined
+    ) {
       return true;
     }
+
+    return true;
   }
   return false;
 };
 
 export const configCustom = (
   segments: readonly Segment[],
-  _cmd: string,
+  cmd: string,
   blockedCommands: readonly BlockRule[],
   allowedCommands: readonly BlockRule[],
 ): Decision => {
+  if (hasBypass(cmd)) {
+    return allow('config-custom');
+  }
+
   // Check allowed first (overrides blocks)
   for (const allowRule of allowedCommands) {
-    if (matchPattern(segments, allowRule.pattern)) {
+    if (matchPattern(segments, allowRule)) {
       return allow('config-custom');
     }
   }
 
   // Then check blocked
   for (const blockRule of blockedCommands) {
-    if (matchPattern(segments, blockRule.pattern)) {
-      return blockRule.action === 'deny'
-        ? deny('config-custom', blockRule.message)
-        : ask('config-custom', blockRule.message);
+    if (matchPattern(segments, blockRule)) {
+      const message = blockRule.message.includes('tripwire-allow')
+        ? blockRule.message
+        : `${blockRule.message} ${BYPASS_HELP}`;
+      return blockRule.action === 'ask'
+        ? ask('config-custom', message)
+        : deny('config-custom', message);
     }
   }
 
   return allow('config-custom');
 };
+
+export { matchPattern };